MFA by Trusted Device or MFA with mobile app

joben
Posts: 221
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden

MFA by Trusted Device or MFA with mobile app

Post by joben »

We have reached a point where it is difficult to advertise or sell our application due to lack of MFA (Multi-Factor Authentication), which is often a requirement from the customers/end users. Especially with the strict regulations in the EU such as GDPR, the data needs to be protected adequately. We built a Trusted Device solution in AwareIM that unfortunately doesn’t work well enough to be used in production. We need to know if MFA can be implemented in AwareIM in a secure and hassle-free way. Preferably a Trusted Device solution.

Our definition of Trusted Device:
Alice logs in with her username and password for the first time on her new computer.
An email is sent to Alice with a verification link.
Alice clicks the link, and she is now logged in, and the device is considered trusted.
The next time Alice logs in from this computer, email verification is skipped because her device is considered trusted.

Our definition of MFA with mobile app:
Bob logs in with his username and password.
Bob is prompted with a token field.
Bob starts his MFA app (Authy, Google Authenticator or similar).
Bob enters the generated token (or preferably accepts a push message sent to the phone as it is more simple) and is successfully logged in.

Things we don’t consider good ways of solving this problem:
  • Using authentication with Google or Facebook accounts or similar rather than built-in AwareIM user database.
  • IP address or user agent fingerprinting is not a unique identifier when identifying a Trusted Device
We would like to co-operate with forum members who think MFA is important. We hope that a proof of concept can be produced that can be shared with the community. Please get in touch with me or forum member Rem.
Regards, Joakim

hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: MFA by Trusted Device or MFA with mobile app

Post by hpl123 »

Joben,
I agree, multi-factor authentication options in Aware would be valuable. I have a hacked-up two-factor login solution using SMS for one of my apps, and it is OK but would not pass security standards/reviews etc., but it could possibly be something to at least think about (i.e. if SMS could be used in some way for you).

Regarding the identification of a device that you do now for your trusted device solution: how do you capture/identify a device, if you can share some details?
Henrik (V8 Developer Ed. - Windows)
PointsWell
Posts: 1457
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: MFA by Trusted Device or MFA with mobile app

Post by PointsWell »

Intra has a built solution that he demonstrated at Conference. From memory it works with both Authy/Authenticator and over SMS. I'm sure he'd be happy to licence it to you.
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: MFA by Trusted Device or MFA with mobile app

Post by aware_support »

How about MFA provided by DUO (www.duo.com) ?

We have a plugin that supports it. Maybe it will work for you?
Aware IM Support Team
joben
Posts: 221
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden

Re: MFA by Trusted Device or MFA with mobile app

Post by joben »

aware_support wrote:How about MFA provided by DUO (http://www.duo.com) ?

We have a plugin that supports it. Maybe it will work for you?
Where can I learn more about this?
hpl123 wrote: Regarding the identification of a device that you do now for your trusted device solution: how do you capture/identify a device, if you can share some details?
It is an overstatement to call it a trusted device solution since we were never able to identify trusted devices, but at least we managed to make an extra login check, like you type your username and password as usual, then you have to click a link that gets sent to your email to actually get logged in. It is based on a secret token. It is not very user-friendly and not exactly ground-breaking. But it was a foundation for the trusted device solution that we never were able to build.
Regards, Joakim

aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: MFA by Trusted Device or MFA with mobile app

Post by aware_support »

You can learn about DUO on their web site:
http://www.duo.com
Aware IM Support Team
joben
Posts: 221
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden

Re: MFA by Trusted Device or MFA with mobile app

Post by joben »

aware_support wrote:You can learn about DUO on their web site:
http://www.duo.com
We are Aware ( :D ) of Duo and we use it with some other products where implementation is simple.

However, we don't know how it's best implemented with AwareIM?
If there is a plugin available, where can we learn more about this?
Regards, Joakim

aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: MFA by Trusted Device or MFA with mobile app

Post by aware_support »

From a user point of view he logs in as usual, entering his user name and password. If the credentials are incorrect then the error message is displayed straight away. However, if they are correct, the second part of authentication (provided by Duo) kicks in. The method depends on what you set up in DUO - it can be, for example, a phone call, so you get the phone call and after confirmation the system logs you in to Aware IM and displays the starting visual perspective.
Aware IM Support Team
RLJB
Posts: 914
Joined: Tue Jan 05, 2010 10:16 am
Location: Sydney, Australia

Re: MFA by Trusted Device or MFA with mobile app

Post by RLJB »

Sorry for the probably dumb question, but why don't you just configure MFA in Aware?

Login sends an SMS to the user with a random code and stores it on the reg user with an expiry time, then throws to a VP with an input box. The user enters the code; if it is wrong or expired, it kicks them out. If OK, then it continues to the normal VP.

Can put a 7 day expiry on it if you don't want to annoy users.
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS
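The procedure in the post above (random code, stored on the registered user with an expiry, checked in an intermediate VP) maps onto a small amount of server-side logic. The following is an added example written for this thread, not AwareIM code and not the poster's own implementation; it uses a plain Python stand-in class `RegUser` for the user record and a `send_sms` callback in place of whatever SMS gateway the app uses. It adds three things a reviewer would look for in the post's design: only a hash of the code is stored, the code is single-use, and wrong guesses are capped so a 6-digit code cannot simply be enumerated before it expires.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # a login code should live minutes, not the whole login session
MAX_ATTEMPTS = 5            # a 6-digit code has 1,000,000 values; guessing must be capped


class RegUser:
    """Stand-in for the registered-user record (constructed for this example); the three
    mfa_* fields are what the real record would need to carry."""

    def __init__(self, user_id: str, phone: str):
        self.user_id = user_id
        self.phone = phone
        self.mfa_code_hash = None   # only a hash of the code is stored, never the code itself
        self.mfa_code_expires = 0.0
        self.mfa_attempts = 0


def _hash_code(user_id: str, code: str) -> str:
    # Bind the hash to the user so a code issued to one user can't be presented as another's.
    return hashlib.sha256(f"{user_id}:{code}".encode("utf-8")).hexdigest()


def _clear_challenge(user: RegUser) -> None:
    user.mfa_code_hash = None
    user.mfa_code_expires = 0.0
    user.mfa_attempts = 0


def issue_code(user: RegUser, send_sms, now=None) -> None:
    """Generate a fresh 6-digit code, store its hash and expiry on the user, SMS the code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not random.randint
    user.mfa_code_hash = _hash_code(user.user_id, code)
    user.mfa_code_expires = now + CODE_TTL_SECONDS
    user.mfa_attempts = 0
    send_sms(user.phone, f"Your login code is {code}. It expires in 5 minutes.")


def verify_code(user: RegUser, submitted: str, now=None) -> str:
    """Returns 'ok', 'wrong', 'expired', 'locked' or 'no_challenge'. Anything but 'ok'
    should send the user back to the login page, as the post describes."""
    now = time.time() if now is None else now
    if user.mfa_code_hash is None:
        return "no_challenge"
    if now > user.mfa_code_expires:
        _clear_challenge(user)
        return "expired"
    if user.mfa_attempts >= MAX_ATTEMPTS:
        _clear_challenge(user)          # too many guesses: discard the code, restart login
        return "locked"
    user.mfa_attempts += 1
    candidate = _hash_code(user.user_id, submitted.strip())
    if hmac.compare_digest(user.mfa_code_hash, candidate):
        _clear_challenge(user)          # single use: the same code can't be replayed
        return "ok"
    return "wrong"


if __name__ == "__main__":
    alice = RegUser("alice", "+46700000000")   # constructed sample user
    issue_code(alice, lambda phone, text: print(f"SMS to {phone}: {text}"))
    print(verify_code(alice, "000000"))        # almost certainly 'wrong'
```

The 7-day "don't annoy users" window the post mentions is a separate piece of state (a trusted-device record) and is deliberately not mixed into the code lifecycle here: the code itself should always expire within minutes.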
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: MFA by Trusted Device or MFA with mobile app

Post by hpl123 »

RLJB wrote:Sorry for the probably dumb question, but why don't you just configure MFA in Aware?

Login sends an SMS to the user with a random code and stores it on the reg user with an expiry time, then throws to a VP with an input box. The user enters the code; if it is wrong or expired, it kicks them out. If OK, then it continues to the normal VP.

Can put a 7 day expiry on it if you don't want to annoy users.
Exact thing I did (at least the part with the MFA VP and real VP, so I have it for ALL logins and not time-expired), and it works.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: MFA by Trusted Device or MFA with mobile app

Post by hpl123 »

joben wrote:
aware_support wrote:How about MFA provided by DUO (http://www.duo.com) ?

We have a plugin that supports it. Maybe it will work for you?
Where can I learn more about this?
hpl123 wrote: Regarding the identification of a device that you do now for your trusted device solution: how do you capture/identify a device, if you can share some details?
It is an overstatement to call it a trusted device solution since we were never able to identify trusted devices, but at least we managed to make an extra login check, like you type your username and password as usual, then you have to click a link that gets sent to your email to actually get logged in. It is based on a secret token. It is not very user-friendly and not exactly ground-breaking. But it was a foundation for the trusted device solution that we never were able to build.
Ok, thanks, and I am looking for some way to uniquely identify a device upon login and then use it together with the SMS MFA discussed in this post. I have thought about using the user agent, or the user agent together with resolution, for this but am not sure how unique it would be. If anyone has a good way of uniquely identifying devices please share.
Henrik (V8 Developer Ed. - Windows)
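Both the opening post's "Trusted Device" definition and the question just above come down to the same design choice: the server does not need to recognise a device by its properties (user agent and screen resolution are shared by thousands of machines and are trivially spoofed, as the opening post already notes); it can instead issue the device a random secret after a successful second factor and recognise the secret. The following added example, written for this thread and not AwareIM's or any poster's code, shows that pattern: a per-user trusted-device registry that stores only hashes, binds each token to the user it was issued to, expires it after the 7-day window mentioned earlier in the thread, and can be revoked wholesale. `DeviceTrustStore`, `trusted_device_cookie` and `second_factor_required` are this example's own names; in a real app the registry would be a table on the user record rather than an in-memory dict.

```python
import hashlib
import secrets
import time

TRUST_TTL_SECONDS = 7 * 24 * 3600   # the 7-day window mentioned earlier in the thread


def _hash_token(token: str) -> str:
    # Store only a hash: a database leak must not hand out usable device tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class DeviceTrustStore:
    """Server-side registry of trusted devices: user_id -> {token_hash: expiry}.
    Constructed as an in-memory dict for this example; a real app would persist it."""

    def __init__(self):
        self._trusted = {}

    def issue(self, user_id: str, now=None) -> str:
        """Call after a successful second factor; the returned token goes into a cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG: not guessable
        self._trusted.setdefault(user_id, {})[_hash_token(token)] = now + TRUST_TTL_SECONDS
        return token

    def is_trusted(self, user_id: str, token, now=None) -> bool:
        """True only if this exact token was issued to this exact user and has not expired."""
        now = time.time() if now is None else now
        if not token:
            return False
        entries = self._trusted.get(user_id, {})
        key = _hash_token(token)
        expiry = entries.get(key)
        if expiry is None:
            return False                            # unknown token, or issued to another user
        if now > expiry:
            del entries[key]                        # expired: forget it and require MFA again
            return False
        return True

    def revoke_all(self, user_id: str) -> None:
        """On password change or 'log out everywhere', every device must re-verify."""
        self._trusted.pop(user_id, None)


def trusted_device_cookie(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps page scripts away from it, Secure keeps it off plain HTTP."""
    return (f"trusted_device={token}; Max-Age={TRUST_TTL_SECONDS}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


def second_factor_required(store: DeviceTrustStore, user_id: str, cookie_token, now=None) -> bool:
    """Decision point right after the password check: skip the email/SMS step only for a trusted device."""
    return not store.is_trusted(user_id, cookie_token, now)


if __name__ == "__main__":
    store = DeviceTrustStore()
    print("first login, needs MFA:", second_factor_required(store, "alice", None))
    token = store.issue("alice")                   # after Alice clicked the email link
    print("Set-Cookie:", trusted_device_cookie(token))
    print("next login, needs MFA:", second_factor_required(store, "alice", token))
```

The token is checked only after the password has been verified and only against the record of the user who just authenticated, so a cookie copied from one account cannot shorten the login of another. Because the cookie is the whole "device identity", clearing cookies or using another browser profile simply means going through the email or SMS step once more, which is the behaviour the opening post asked for.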